QueBIT Blog: IBM Satellite replacing the Secure Gateway - Part 1

Posted by: Walter Coffen

Jul 3, 2024 9:45:00 AM

IBM Secure Gateway

Beginning August 2024, IBM Planning Analytics on Cloud, PAoC, will begin replacing IBM Secure Gateway with IBM Satellite. The business problem that the Secure Gateway and Satellite tools solve is one of data security, specifically how to protect data in a hybrid environment with data in-transit between public and private cloud computing resources. Businesses have been shifting towards utilizing cloud resources like PAoC for a while now, but they still have significant local data, such as data warehouses and ERP systems in their own physical data centers or private clouds. The attractive benefits that caused the creation of PAoC, a cloud-hosted Platform as a Service (PaaS), meant that a safe and secure way of supplying data to PAoC needed to be found. IBM had available in its toolbox the Secure Gateway platform that creates encrypted tunnels between IBM Cloud Secure Gateway servers and private-cloud/on-premises data resources possessed by its customers. With Secure Gateway, data can safely flow data bi-directionally, keeping secure the “crown jewels” of financial data for the enterprise.

This change to Satellite should only impact your Secure Gateway data connections, and not the Cloud-to-Cloud connections you might have between PAoC and Snowflake, Salesforce, or Google BigQuery, etc. Cloud-to-cloud connections do not utilize a Secure Gateway tunnel, they just use ODBC calls directly from the PAoC TM1 server.

Since the advent of PAoC, security and encryption needs have become more demanding, and system architectures need more flexibility. Enter IBM Satellite, a newer tool designed to literally extend the borders of the hyper-secure IBM Cloud to its customer’s private cloud/on-premises servers, as if the customers owned IBM Cloud “satellite” locations. This allows IBM to be able to offer and execute a host of secure IBM Cloud Services locally. A powerful platform, but for PAoC, only the ability to have a secure encrypted tunnel between IBM Cloud/PAoC and private cloud/on-premises data was needed from the IBM Satellite platform. This is good to know since the Satellite documentation encompasses the whole IBM Cloud Satellite platform, while the Satellite Connector “Agent” is a small part that is ever touched directly in PAoC.

On Premises:

The older Secure Gateway (SG) uses a small profile “Client” that is a Windows service on-premises that initiates and anchors a persistent, encrypted, TLS v1.2 tunnel to IBM Cloud. PAoC uses that tunnel to send ODBC requests from PAoC to private-cloud/on-premises data sources to retrieve data for loading into Planning Analytics or presenting to PAoC users. Satellite will have a similar setup with its Satellite Connector “Agent” (SCA) that runs as a Windows service, but it is TLS v1.3 and supports the latest generation of VPC networking, has fewer limitations, more potential, etc.

Both the SG Client and SC Agent can also run as Docker containers hosted somewhere inside the customer’s private cloud/on-premises. For ODBC related activity, containers may be a better option for customers seeking high availability and load balancing as both the SG Client and SC Agent need multiple Windows servers per PAoC environment for that feature. Adding additional containers tends to be much simpler than adding additional Windows servers. High availability and load balancing are not typical requirements for ODBC sourcing and loading of data to Planning Analytics but could be if many users perform concurrent ODBC drill-through operations while using Planning Analytics. Drill-through is a long-time Planning analytics feature that allows for getting the supporting transaction detail that may show up as a single, aggregated number in Planning Analytics.

In the Cloud:

For PAoC , the Planning Analytics database server portion runs on Microsoft Windows 2019 servers that IBM patches and maintains; your remote desktop piece that is being deprecated in September is probably Windows 2016 server. When a TI process with an ODBC data source is executed in PAoC, it still uses the Microsoft ODBC libraries that are part of the PA server’s Windows operating system where the TM1 service is running. Each data source’s connection information is stored in an ODBC System DSN that gets created when a new data source is added via Planning Analytics Administration and Secure Gateway or Satellite Connector. However, there is only one tunnel association for the System DSN, it will either be to the Secure Gateway or to the Satellite Connector when used. Behind the scenes in IBM Cloud will determine which tunnel an ODBC request goes down based on the connector information.

The Big Switch:

It has been reported that once the Satellite Connector option is available in PAoC, we will see a Secure Gateway and a Satellite Connector tile in PAoC Planning Analytics Administration. These two PAoC tiles will co-exist for a few months while customers make the required transition to the Satellite Connector. The target completion date for this shifting is the end of September 2024, with an absolute end on October 26, 2024, which is the deprovisioning day for the whole IBM Secure Gateway platform.

This change to Satellite can be a bit of a challenge, but we at QueBIT can help plan and execute the switch. Check out Part 2: IBM Satellite becomes available when the Satellite tool will be accessible by PAoC.

Topics: IBMSatellite, IBMSecureGateway


Blog Search

Subscribe to Email Updates

Popular Posts

Recent Posts

Follow Me